What starting position does this attack require?

The first step is TSO logon → mainframe shell (T1078) — a initial access primitive. Assumed environment: target operates IBM z/OS with TN3270 endpoint reachable from the corporate LAN.

What is the final impact of this kill-chain?

The final step lands on Drop into OMVS / USS for modern post-ex (MF-USS-SHELL), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

z/OS TN3270 → RACF userID brute → mainframe shell

Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

TSO logon → mainframe shell

T1078 · Valid Accounts

Discovery

Enumerate userIDs (HR pattern, public records)

T1087 · Account Discovery

Discovery

Find TN3270 endpoint (port 23 / 992)

N-NMAP-INTERNAL · Internal Nmap Sweep

Credential Access

RACF password brute via TN3270 client

MF-RACF-BRUTE · z/OS RACF / TopSecret Brute

Privilege Escalation

Surrogate JCL job for privilege escalation

MF-JCL-OWNER · z/OS JCL / Surrogate Abuse

Execution

Drop into OMVS / USS for modern post-ex

MF-USS-SHELL · z/OS UNIX System Services Shell

§ Context

Assumed environment: target operates IBM z/OS with TN3270 endpoint reachable from the corporate LAN. RACF policy allows short passwords or PassPhrases not enforced.

§ Steps

01
TSO logon → mainframe shellInitial Access
T1078— Valid Accounts
02
Enumerate userIDs (HR pattern, public records)Discovery
T1087— Account Discovery
03
Find TN3270 endpoint (port 23 / 992)Discovery
N-NMAP-INTERNAL— Internal Nmap Sweep
04
RACF password brute via TN3270 clientCredential Access
MF-RACF-BRUTE— z/OS RACF / TopSecret Brute
05
Surrogate JCL job for privilege escalationPrivilege Escalation
MF-JCL-OWNER— z/OS JCL / Surrogate Abuse
06
Drop into OMVS / USS for modern post-exExecution
MF-USS-SHELL— z/OS UNIX System Services Shell

§ References

T1078Valid Accounts
T1087Account Discovery

§ Frequently asked

What is the "z/OS TN3270 → RACF userID brute → mainframe shell" attack path?: Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is TSO logon → mainframe shell (T1078) — a initial access primitive. Assumed environment: target operates IBM z/OS with TN3270 endpoint reachable from the corporate LAN.
What is the final impact of this kill-chain?: The final step lands on Drop into OMVS / USS for modern post-ex (MF-USS-SHELL), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

z/OS TN3270 → RACF userID brute → mainframe shell

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Industroyer2 IEC-104 substation hijack

Unauth DICOM PACS → mass medical-image exfil

BACnet HVAC → disrupt building operations

Slack token in CI log → DM history → vendor mailbox compromise

Reconfigure MFP LDAP → harvest service-account credentials

Reachable Modbus PLC → direct register override